Accepting request 738529 from security:tls

OBS-URL: https://build.opensuse.org/request/show/738529 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-1_1?expand=0&rev=9
2019-11-20 12:42:29 +00:00 · 2019-11-20 12:42:29 +00:00 · 9551f15083
commit 9551f15083
parent bd961d7a0d b1d4609f8b
9 changed files with 10802 additions and 106 deletions
--- a/0001-build_SYS_str_reasons-Fix-a-crash-caused-by-overlong.patch
+++ b/0001-build_SYS_str_reasons-Fix-a-crash-caused-by-overlong.patch
@ -1,79 +0,0 @@
 From fac9200a881a83bef038ebed628ebd409786a1a6 Mon Sep 17 00:00:00 2001
 From: Vitezslav Cizek <vcizek@suse.com>
 Date: Tue, 4 Jun 2019 13:24:59 +0200
 Subject: [PATCH] build_SYS_str_reasons: Fix a crash caused by overlong locales
 The 4 kB SPACE_SYS_STR_REASONS in crypto/err/err.c isn't enough for some locales.
 The Russian locales consume 6856 bytes, Ukrainian even 7000.
 build_SYS_str_reasons() contains an overflow check:
 if (cnt > sizeof(strerror_pool))
    cnt = sizeof(strerror_pool);
 But since commit 9f15e5b911ba6053e09578f190354568e01c07d7 it no longer
 works as cnt is incremented once more after the condition.
 cnt greater than sizeof(strerror_pool) results in an unbounded
 OPENSSL_strlcpy() in openssl_strerror_r(), eventually causing a crash.
 When the first received error string was empty or contained only
 spaces, cur would move in front of the start of the strerror_pool.
 Also don't call openssl_strerror_r when the pool is full.
 Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
 Reviewed-by: Richard Levitte <levitte@openssl.org>
 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
 (Merged from https://github.com/openssl/openssl/pull/8966)
 ---
 crypto/err/err.c | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)
 diff --git a/crypto/err/err.c b/crypto/err/err.c
 index 57399f82ad..cf3ae4d3b3 100644
 --- a/crypto/err/err.c
 +++ b/crypto/err/err.c
@@ -188,8 +188,8 @@ static ERR_STRING_DATA *int_err_get_item(const ERR_STRING_DATA *d)
 }
 #ifndef OPENSSL_NO_ERR
 -/* A measurement on Linux 2018-11-21 showed about 3.5kib */
 -# define SPACE_SYS_STR_REASONS 4 * 1024
 +/* 2019-05-21: Russian and Ukrainian locales on Linux require more than 6,5 kB */
 +# define SPACE_SYS_STR_REASONS 8 * 1024
 # define NUM_SYS_STR_REASONS 127
 static ERR_STRING_DATA SYS_str_reasons[NUM_SYS_STR_REASONS + 1];
@@ -223,21 +223,23 @@ static void build_SYS_str_reasons(void)
         ERR_STRING_DATA *str = &SYS_str_reasons[i - 1];
         str->error = ERR_PACK(ERR_LIB_SYS, 0, i);
 -        if (str->string == NULL) {
 +        /*
 +         * If we have used up all the space in strerror_pool,
 +         * there's no point in calling openssl_strerror_r()
 +         */
 +        if (str->string == NULL && cnt < sizeof(strerror_pool)) {
             if (openssl_strerror_r(i, cur, sizeof(strerror_pool) - cnt)) {
                 size_t l = strlen(cur);
                 str->string = cur;
                 cnt += l;
 -                if (cnt > sizeof(strerror_pool))
 -                    cnt = sizeof(strerror_pool);
                 cur += l;
                 /*
                  * VMS has an unusual quirk of adding spaces at the end of
 -                 * some (most? all?) messages.  Lets trim them off.
 +                 * some (most? all?) messages. Lets trim them off.
                  */
 -                while (ossl_isspace(cur[-1])) {
 +                while (cur > strerror_pool && ossl_isspace(cur[-1])) {
                     cur--;
                     cnt--;
                 }
 -- 
 2.21.0
--- a/openssl-1.1.0-no-html.patch
+++ b/openssl-1.1.0-no-html.patch
@ -1,7 +1,8 @@
-diff -up openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl.nohtml openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl
+Index: openssl-1.1.1d/Configurations/unix-Makefile.tmpl
--- openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl.no-html	2016-04-19 16:57:52.000000000 +0200
+===================================================================
-+++ openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl	2016-07-18 13:58:55.060106243 +0200
+--- openssl-1.1.1d.orig/Configurations/unix-Makefile.tmpl	2019-09-11 15:38:17.788265421 +0200
-@@ -288,7 +288,7 @@ install_sw: all install_dev install_engi
+++ openssl-1.1.1d/Configurations/unix-Makefile.tmpl	2019-09-11 15:38:35.640368636 +0200
@@ -544,7 +544,7 @@ install_sw: install_dev install_engines
 uninstall_sw: uninstall_runtime uninstall_engines uninstall_dev
@ -9,4 +10,4 @@ diff -up openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl.nohtml openssl-1.1
 +install_docs: install_man_docs
 uninstall_docs: uninstall_man_docs uninstall_html_docs
- 	$(RM) -r -v $(DESTDIR)$(DOCDIR)
+ 	$(RM) -r $(DESTDIR)$(DOCDIR)
--- a/openssl-1.1.1c.tar.gz
+++ b/openssl-1.1.1c.tar.gz
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:f6fb3079ad15076154eda9413fed42877d668e7069d9b87396d0804fdb3f4c90
 size 8864262
--- a/openssl-1.1.1c.tar.gz.asc
+++ b/openssl-1.1.1c.tar.gz.asc
@ -1,16 +0,0 @@
 -----BEGIN PGP SIGNATURE-----
 iQIzBAABCgAdFiEEeVOsH7w9yLOykjk+1enkP3357owFAlztM8IACgkQ1enkP335
 7oxQwQ/9G4kkoJC0pat5P4uNBgVyxmXso63Eea91QYGC39BABSL+KpEzfyJtFwqR
 36EAI8f5L5iGRKuBKerWtP8YUZ9Jc0Yf/a1R7sPGKh/0hor6dWhU1fh5x3HCatBC
 TanYbgXgAQhNHQcwVG6qdvHIwtb9so5NtDB0cKNcegoH6D0IOUtQmYrqXiovsc3K
 DwqgUL2ctUvDmroJVE4lQ6zpz239D3UoeSiTWAVGy/GudpQgx/9v6fqwO91/tyWk
 Grlpf2v320dLCbCXrbbW4lPq7IeoIkTgPwnVlyLMrm4Ht+Ck6KPgbUyRaVpSuJum
 6geA9Miczekv3PhPkF2/ltKwRLUt1TmujBdNTAxYXX6VWw32oh5YSQ2wTVZgvCN/
 HJvSW5N2fuEsO8jYX/0RxZjGrbsGyCXtXqElwmETO8JX+wuc6Rd1IFdDKDszUbLh
 HEtMBdb/Dhv//gNkEwrPHw9tLH8nd+B4dCJNC/4+Au54t6SpRT2sV6FVNA4Ytkpu
 O1OCs2cmIuGFBylDDZCSCWG+1U/dUVoqRh0ufg9PcFDdeicp6Q6cqyBNEVNXG7HU
 g7c5zf0XOT7m3+G+d+pPvvzOsZrTKVlOcsAlI7aiqTFFtUUGpHtjm03OP2SKrakb
 bPjVbZWzjvRe3st8+GXdv2/i0SuVZW0mTE+6+pPd1/6VlRGOqmI=
 =+39w
 -----END PGP SIGNATURE-----
--- a/openssl-1.1.1d.tar.gz
+++ b/openssl-1.1.1d.tar.gz
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:1e3a91bc1f9dfce01af26026f856e064eab4c8ee0a8f457b5ae30b40b8b711f2
 size 8845861
--- a/openssl-1.1.1d.tar.gz.asc
+++ b/openssl-1.1.1d.tar.gz.asc
@ -0,0 +1,11 @@
 -----BEGIN PGP SIGNATURE-----
 iQEzBAABCgAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl13oWoACgkQ2cTSbQ5g
 RJH0Agf+IekQXtSPsrn/5RMgXFGSyK+S1BpFhyoJRvDocVZAxwgvd4F1fcYkFVXH
 5+Q6o6s6tIDb+VkuIajcDxTQvrFoXKWMbsFsu3NBAan5R0OlYINRYtXULg0ZqQv4
 zxclCSLQTpuMyptuGGbg0/8+9IAhGFk2XSA5EEI+SC6lswRQiT7p6dbULj4CvH3m
 7mqovojAAaEJpgfG8b+L+QBJ4XId99uC6tiLM1tTMCsn1ErLsTd366fzEpC1w12a
 V/gWQ1mVs+bmSRySPx8mO4CpHfhAI+sZrSsWG+UXP9Guf9YKHFLJDiSrX7EmvszR
 B+/LvZqce4iCnwCUoIuYhxM6EybDdQ==
 =v5CI
 -----END PGP SIGNATURE-----
--- a/openssl-1_1.changes
+++ b/openssl-1_1.changes
@ -1,3 +1,64 @@
 -------------------------------------------------------------------
 Mon Oct 14 18:36:37 UTC 2019 - Jason Sikes <jsikes@suse.com>
 - Merged upstream changes to allow NULL salt values in EVP_PBE_scrypt().
  * Revealed by nodejs12 during bsc#1149572.
  * Modified openssl-jsc-SLE-8789-backport_KDF.patch
 -------------------------------------------------------------------
 Mon Oct 14 08:45:39 UTC 2019 - Adam Majer <adam.majer@suse.de>
 - openssl-jsc-SLE-8789-backport_KDF.patch: retain old behaviour
  of EVP_PBE_scrypt. When key output buffer is not provided,
  only check if the input parameters are in valid range and
  ignore passphrase/salt fields as they are only used in
  the actual calculation.
 -------------------------------------------------------------------
 Wed Sep 11 09:32:16 UTC 2019 - Vítězslav Čížek <vcizek@suse.com>
 - Update to 1.1.1d (bsc#1133925, jsc#SLE-6430)
  * Fixed a fork protection issue. OpenSSL 1.1.1 introduced a rewritten random
    number generator (RNG). This was intended to include protection in the
    event of a fork() system call in order to ensure that the parent and child
    processes did not share the same RNG state. However this protection was not
    being used in the default case.
    (bsc#1150247, CVE-2019-1549)
  * Compute ECC cofactors if not provided during EC_GROUP construction. Before
    this change, EC_GROUP_set_generator would accept order and/or cofactor as
    NULL. After this change, only the cofactor parameter can be NULL.
    (bsc#1150003, CVE-2019-1547)
  * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
    (bsc#1150250, CVE-2019-1563)
  * For built-in EC curves, ensure an EC_GROUP built from the curve name is
    used even when parsing explicit parameters, when loading a serialized key
    or calling EC_GROUP_new_from_ecpkparameters()/EC_GROUP_new_from_ecparameters().
  * Early start up entropy quality from the DEVRANDOM seed source has been
    improved for older Linux systems.
  * Changed DH_check to accept parameters with order q and 2q subgroups.
    With order 2q subgroups the bit 0 of the private key is not secret
    but DH_generate_key works around that by clearing bit 0 of the
    private key for those. This avoids leaking bit 0 of the private key.
  * Significantly reduce secure memory usage by the randomness pools.
  * Revert the DEVRANDOM_WAIT feature for Linux systems
 - drop 0001-build_SYS_str_reasons-Fix-a-crash-caused-by-overlong.patch (upstream)
 - refresh patches
  * openssl-1.1.0-no-html.patch
  * openssl-jsc-SLE-8789-backport_KDF.patch
 -------------------------------------------------------------------
 Tue Sep 10 19:26:34 UTC 2019 - Jason Sikes <jsikes@suse.com>
 - To avoid seperate certification of openssh server / client
  move the SSH KDF (Key Derivation Function) into openssl.
  * jsc#SLE-8789
  * Sourced from commit
    8d76481b189b7195ef932e0fb8f0e23ab0120771#diff-a9562bc75317360a2e6b8b0748956e34
    in openssl master (introduce the SSH KDF)
    and commit 5a285addbf39f91d567f95f04b2b41764127950d
    in openssl master (backport EVP/KDF API framework)
  * added openssl-jsc-SLE-8789-backport_KDF.patch
 -------------------------------------------------------------------
 Thu Jun  6 10:06:45 UTC 2019 - Vítězslav Čížek <vcizek@suse.com>
--- a/openssl-1_1.spec
+++ b/openssl-1_1.spec
@ -21,7 +21,7 @@
 %define _rname  openssl
 Name:           openssl-1_1
 # Don't forget to update the version in the "openssl" package!
-Version:        1.1.1c
+Version:        1.1.1d
 Release:        0
 Summary:        Secure Sockets and Transport Layer Security
 License:        OpenSSL
@ -43,8 +43,6 @@ Patch3:         openssl-pkgconfig.patch
 Patch4:         openssl-DEFAULT_SUSE_cipher.patch
 Patch5:         openssl-ppc64-config.patch
 Patch6:         openssl-no-date.patch
 # PATCH-FIX-UPSTREAM https://github.com/openssl/openssl/pull/8966
 Patch7:         0001-build_SYS_str_reasons-Fix-a-crash-caused-by-overlong.patch
 # PATCH-FIX-UPSTREAM jsc#SLE-6126 and jsc#SLE-6129
 Patch8:         0001-s390x-assembly-pack-perlasm-support.patch
 Patch9:         0002-crypto-chacha-asm-chacha-s390x.pl-add-vx-code-path.patch
@ -52,6 +50,7 @@ Patch10:        0003-crypto-poly1305-asm-poly1305-s390x.pl-add-vx-code-pa.patch
 Patch11:        0004-s390x-assembly-pack-fix-formal-interface-bug-in-chac.patch
 Patch12:        0005-s390x-assembly-pack-import-chacha-from-cryptogams-re.patch
 Patch13:        0006-s390x-assembly-pack-import-poly-from-cryptogams-repo.patch
 Patch14:        openssl-jsc-SLE-8789-backport_KDF.patch
 BuildRequires:  pkgconfig
 Conflicts:      ssl
 Provides:       ssl
--- a/openssl-jsc-SLE-8789-backport_KDF.patch
+++ b/openssl-jsc-SLE-8789-backport_KDF.patch